| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20260203184835.3619101-1-rjethwani@purestorage.com>
Date: Tue, 3 Feb 2026 11:48:31 -0700
From: Rishikesh Jethwani <rjethwani@...estorage.com>
To: netdev@...r.kernel.org
Cc: saeedm@...dia.com,
tariqt@...dia.com,
mbloch@...dia.com,
borisp@...dia.com,
john.fastabend@...il.com,
kuba@...nel.org,
sd@...asysnail.net,
davem@...emloft.net,
pabeni@...hat.com,
edumazet@...gle.com,
leon@...nel.org,
Rishikesh Jethwani <rjethwani@...estorage.com>
Subject: [PATCH v6 0/4] tls: Add TLS 1.3 hardware offload support
Hi all,
This patch series adds TLS 1.3 support to the kernel TLS hardware offload
infrastructure, enabling hardware acceleration for TLS 1.3 connections
including KeyUpdate (rekey) support. It also adds a selftest for
validating hardware offload functionality.
Background
==========
Currently, the kernel TLS device offload only supports TLS 1.2. With
TLS 1.3 being the current standard and widely deployed, there is a
growing need to extend hardware offload support to TLS 1.3 connections.
TLS 1.3 differs from TLS 1.2 in its record format:
TLS 1.2: [Header (5)] + [Explicit IV (8)] + [Ciphertext] + [Tag (16)]
TLS 1.3: [Header (5)] + [Ciphertext + ContentType (1)] + [Tag (16)]
The key difference is that TLS 1.3 eliminates the explicit IV and
instead appends the content type byte to the plaintext before
encryption. This content type byte must be encrypted along with the
payload for proper authentication tag computation per RFC 8446.
Patch 1: TLS 1.3 hardware offload support
=========================================
Changes to tls_device.c, tls_device_fallback.c, and tls_main.c:
- Extended version validation to accept TLS_1_3_VERSION in both
tls_set_device_offload() and tls_set_device_offload_rx()
- Modified tls_device_record_close() to append the content type
byte before the authentication tag for TLS 1.3 records
- Modified tls_device_reencrypt() to use prot->prepend_size and
prot->tag_size instead of hardcoded TLS 1.2 values
- Pre-populated dummy_page with all 256 byte values for memory
allocation failure fallback path
- Updated tls_device_fallback.c to handle TLS 1.3 IV construction
(XOR with sequence number) and version-specific AAD sizes
- Rekey handling: HW offload key update (rekey) is not yet supported.
Patch 2: Hardware offload key update support
============================================
Changes to include/net/tls.h, net/tls/tls.h, tls_device.c, tls_main.c,
and tls_sw.c:
- Extended tls_set_device_offload() and tls_set_device_offload_rx()
with new_crypto_info parameter for key updates
- During rekey, the old HW context is deleted (tls_dev_del) and a new
one is added (tls_dev_add) with the updated key material
- Graceful degradation: if HW key update fails, the connection
gracefully degrades to software:
* TX: TLS_TX_DEV_CLOSED is set and sk_validate_xmit_skb switches to
tls_validate_xmit_skb_sw for software encryption
* RX: TLS_RX_DEV_DEGRADED and TLS_RX_DEV_CLOSED are set for software
decryption
* In both cases, tx_conf/rx_conf remains TLS_HW
- Record sequence management: during TX rekey, old pending records are
deleted and unacked_record_sn is reset to the new rec_seq
- Split tls_set_sw_offload() into tls_sw_ctx_init() and
tls_sw_ctx_finalize() to allow the HW offload RX path to
initialize SW context first, attempt HW setup, then
finalize (memzero new_crypto_info, call tls_finish_key_update)
- Added TLS_TX_DEV_CLOSED flag to track TX hardware context state,
to avoid double tls_dev_del call, symmetric with existing
TLS_RX_DEV_CLOSED.
Patch 3: mlx5 driver enablement
===============================
- TLS 1.3 version detection and validation with proper capability checking
- TLS 1.3 crypto context configuration using MLX5E_STATIC_PARAMS_CONTEXT_TLS_1_3
- Correct IV handling for TLS 1.3 (12-byte IV vs TLS 1.2's 4-byte salt)
- Hardware offload for both TLS 1.3 AES-GCM-128 and AES-GCM-256
Patch 4: Selftest for hardware offload validation
=================================================
Adds tls_hw_offload, a two-node test program for validating TLS hardware
offload. Unlike existing selftests that use loopback or veth pairs (which
don't trigger hardware offload), this test requires separate server and
client machines connected via offload-capable NICs.
Features:
- Server/client mode for two-node testing
- TLS 1.2 and TLS 1.3 support
- AES-GCM-128 and AES-GCM-256 cipher selection
- TLS 1.3 KeyUpdate (rekey) testing with configurable count
- Verification of /proc/net/tls_stat counters
- Echo protocol with data integrity verification
Testing
=======
Tested on Mellanox ConnectX-6 Dx (Crypto Enabled).
Both TX and RX hardware offload verified working with:
- TLS 1.3 AES-GCM-128
- TLS 1.3 AES-GCM-256
- Multiple KeyUpdate cycles (rekey)
Please review and provide feedback.
Thanks,
Rishikesh
Rishikesh Jethwani (4):
tls: add TLS 1.3 hardware offload support
tls: add hardware offload key update support
mlx5: TLS 1.3 hardware offload support
selftests: tls: add two-node hardware offload test
.../mellanox/mlx5/core/en_accel/ktls.h | 8 +-
.../mellanox/mlx5/core/en_accel/ktls_txrx.c | 14 +-
include/net/tls.h | 4 +
net/tls/tls.h | 15 +-
net/tls/tls_device.c | 323 +++-
net/tls/tls_device_fallback.c | 36 +-
net/tls/tls_main.c | 31 +-
net/tls/tls_sw.c | 77 +-
tools/testing/selftests/net/Makefile | 1 +
.../selftests/net/tls_hw_offload.README.txt | 109 ++
tools/testing/selftests/net/tls_hw_offload.c | 1293 +++++++++++++++++
11 files changed, 1789 insertions(+), 122 deletions(-)
create mode 100644 tools/testing/selftests/net/tls_hw_offload.README.txt
create mode 100644 tools/testing/selftests/net/tls_hw_offload.c
--
2.25.1
Powered by blists - more mailing lists